Current Situation

As many of you in the Tox community have likely already heard, a serious situation was brought to our attention which has forced the Tox development team to disassociate itself from the Tox Foundation, along with its sole board member, Sean Qureshi (aka Stqism, aka AlexStraunoff, aka NikolaiToryzin). We learned by Sean’s own admission that he “took a loan against the Tox Foundation”, and used the entirety of the foundation’s funds on personal expenses completely unrelated to the project. He did not inform anyone about his actions prior to taking them, then proceeded to disappear for weeks once we found out, ignoring our attempts to contact him and get an explanation.

The exact amount that he took is unknown due to his having complete control over our finances, but it is in the low thousands. This fund regrettably included a small amount of donation money, but was primarily made up of money that we received by participating in Google Summer of Code last summer.

First, we want to sincerely apologize to the community and take responsibility. We could not have predicted that something like this would happen, but we certainly could have handled our finances in a more responsible and transparent manner. While our development team consists of many skilled programmers and designers, none of us are experienced in business or financial matters. This led us to put too much trust and power into the hands of a single person, who turned out to be just the sort of person who would take advantage of such a situation. We can blame no one but ourselves for this.

Unfortunately, Sean refuses to take responsibility for what he has done, and seems to carry the attitude that what he did was perfectly acceptable. Despite our having spent a great deal of time and effort trying to engage with him, giving him opportunities to pay us back and redeem himself (which is part of the reason why we have waited this long to make an official post about it), he has shown no remorse for his actions, and continues to hold some of our infrastructure “hostage”. This includes the tox.im, toxme.se, and libtoxcore.so domains. For this reason, we have also been forced to disassociate ourselves from the aforementioned domains and begin again from scratch with a new domain, tox.chat.

In spite of the damage that has been done—which we do not wish to understate—we’d like to look on the bright side of things and consider this a very expensive lesson learned in project management, and life in general. We’ve lost some money, but we’ve gained a ton of insight. We have also been lucky enough to have a few long-standing members of the community step up and help us out with things like server management, and we should have everything back to normal in a short while, with a stronger and better equipped team than before.

As far as finances go, we are not going to repeat the same mistakes twice. We will not be taking any official donations* until we have set up a proper organization with an emphasis on transparency and protection of assets (more details on this at a future date).

In the meantime, we hope that you will continue to support us, if not financially, then in spirit. Despite all of this drama, we have not lost sight of our vision to provide secure, private communications for everyone. Tox development hasn’t had so much as a hiccup in the midst of all this; our second run at Google Summer of Code is going better than our first, and the number of enthusiastic developers who share our vision continues to grow.

Thank you for your understanding and continued support.

* If you still want to give personal donations to individual developers, most of us have bitcoin wallets or paypal accounts and can be reached in IRC (#tox and #tox-dev @ freenode)

This
An M of N solution with bitcoin is better than a bank account (that can be used by anyone with access, have invoices pulled from it, etc), and is better for long-term storage of funds.
Bitcoin isn’t as liquid as I want it to be, but it can be distributed to individuals easily and has less than a 1% fee to be changed back into USD (still a lot, but it’s lower on some exchanges).

This is a way overdue blog post and I’m glad to see we as a community are finally getting on with things. I will continue to help on small commits as I can and promote uptake in my work life to help get more eyes and hopefully devs / assistance on the project. I will also in a few months be in a better state to help with server / blog / site management (in the process of spinning my own up for personal projects).

Out of curiosity, what kind of a job does he have? In general, it’s wise to trust people that have their back covered financially so that they don’t get pathetic excuses why some money would belong to them.

I have read that Stqism used the stolen money to pay for his college. Is it known which college he goes to? If it is, this must be brought to the board of that college. Since the money he stole was mostly from GSoC, was Google contacted about this? It must be done and it must be done now. Do it in a public letter. While the amount of money is really small, Google surely has enough influence and sharp lawyers to ruin any prospect of a career in the IT industry for this Stqism guy.

Not doing this will compromise the Tox team anyway. I’ve already heard speculations about other devs being accomplices in the “operation GSOC”, which had the purpose to get some quick money from Google. Your only way to whitewash yourselves is maximum transparency and exposure.

To reiterate irungentoo’s reply in that thread, yes you should uninstall any repos from tox.im, and you should not trust any new binaries from tox.im or libtoxcore.so. We have a new repo: https://wiki.tox.chat/binaries#gnulinux

Right now only qTox is in it, but we’re working on getting the rest of the clients up.

Just a note, we have no reason to believe that any binaries from the old repo/domains have been compromised. This is just a safety measure.

Jeez, people never cease to amaze me. I sincerely hope you guys will get up and running again soon, and applaud your effort and persistence. I must admit that I was unpleasantly surprised and confused when my Firefox returned the tox.im domain as “Connection untrusted”, although pinging it showed it as up, feeding X-Files style paranoia… ;-)

Related to that: do you guys plan to make sure that search engines no longer point to tox.im? Or is it your objective to regain the domain? After all, Google now just presents tox.im in its search as the top result (blog.tox.chat isn’t there at first glance), and a “Connection untrusted” will also surely hurt the Tox brand, image and development. I suppose with Google’s interest in this, this is not a laborious exercise?

I’m not involved at all in tox so I know no background on what inspired this tox development split. However, here are several things I don’t feel are quite right or that correspond with each other…
Most of the articles on the older blog.tox.im site were written by a poster named Sean.
I guess that’s the same person who is very kindly discussing tox, its clients’ features and all the related stuff on the #tox freenode IRC channel under the nickname NikolaiToryzin.
Having several alternative names including nicknames is not very trustworthy on one side; however, being so kind and actively monitoring the tox community and doing various useful things is another good sign. Additionally I think all of Sean’s articles on blog.tox.im were well written. The final one, where Sean was giving an initial brief tox project vs tox foundation split explanation, was a kind of… I don’t know how to describe it. It was certainly put together in a hurry and does not fit with his other posts, according to what I think.
It’s difficult to believe he’s the kind of evil you are showcasing here…

Hi – the tox.im page now redirects here, but with new browsers I get a certificate error.
When someone searches for the software and uses tox.im – maybe it would be nice if there were a link to tox.chat at the beginning of the blog post — greetings ddd

Actually it serves a somewhat broken site with a valid SSL cert signed by Comodo on 2015-07-15.
By using HPKP (https://scotthelme.co.uk/hpkp-http-public-key-pinning/) you maybe could have prevented this – although he of course had access to the original TLS certificates too.

And some other questions:
* What about the old blog posts? Do you not want to transfer them?
* Why not make this much more prominent on the homepage of tox.chat so that users know that they should avoid the hell out of tox.im from now on?
And post it in the social media channels (if you have control over them).
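The HPKP idea raised in the comment above, as an added example that is not part of the original page or the Tox project’s code. It computes pin-sha256 fingerprints the way RFC 7469 defines them (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo), builds a Public-Key-Pins header with the required backup pin, and then checks a served chain against the cached pins. The Ed25519 SPKI key bytes are constructed placeholders and all function names are my own; in practice the SPKI comes out of a certificate with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. The last case in `demo()` is the commenter’s caveat: a certificate issued to whoever still holds the original private key carries the same SPKI and pins fine. Pins also only protect clients that already cached them within `max-age`, and mainstream browsers have since dropped HPKP support (Chrome removed it in version 72).

```python
import base64
import hashlib

# Constructed for this example: DER prefix of an Ed25519 SubjectPublicKeyInfo
# (SEQUENCE { SEQUENCE { OID 1.3.101.112 } BIT STRING <32 key bytes> }, RFC 8410).
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def constructed_spki(label: str) -> bytes:
    """Return a syntactically valid Ed25519 SPKI whose 32 key bytes are a
    placeholder derived from the label (a hypothetical key, not a real one)."""
    fake_key = hashlib.sha256(b"example-spki:" + label.encode()).digest()
    return _ED25519_SPKI_PREFIX + fake_key


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin as RFC 7469 section 2.4 defines it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(primary_spki: bytes, backup_spki: bytes,
                     max_age: int = 5184000, include_subdomains: bool = True) -> str:
    """Build a Public-Key-Pins header value. RFC 7469 requires at least two pins,
    one of them (the backup) for a key that is not in the served chain, so that
    a key rollover does not lock out clients that cached the pins."""
    parts = [f'pin-sha256="{pin_sha256(primary_spki)}"',
             f'pin-sha256="{pin_sha256(backup_spki)}"',
             f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_pins(header_value: str) -> set:
    """Collect the pin-sha256 values a client would cache from the header."""
    pins = set()
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "pin-sha256":
            pins.add(value.strip().strip('"'))
    return pins


def chain_matches_pins(pinned: set, chain_spkis: list) -> bool:
    """RFC 7469 section 2.6: the connection is accepted if any SPKI in the served
    certificate chain matches a cached pin, otherwise it is refused."""
    return any(pin_sha256(spki) in pinned for spki in chain_spkis)


def demo() -> dict:
    """Walk through the scenario from the comment: the original operator's key,
    a backup key, a fresh certificate on a brand-new key, and a certificate
    reissued for the original key. Returns the outcome of each check."""
    original_key = constructed_spki("tox.im original key")
    backup_key = constructed_spki("tox.im backup key")
    header = build_pkp_header(original_key, backup_key)
    pinned = parse_pins(header)  # what a returning client has cached

    # Case 1: new certificate on a new key pair -> no pin matches, client refuses.
    fresh_key = constructed_spki("new cert, new key")
    # Case 2: rollover to the backup key -> accepted; that is what the backup is for.
    # Case 3: new certificate for the *original* key -> same SPKI, pin matches,
    # so HPKP cannot distinguish this from the legitimate operator.
    return {
        "header": header,
        "new_key_refused": not chain_matches_pins(pinned, [fresh_key]),
        "backup_rollover_accepted": chain_matches_pins(pinned, [backup_key]),
        "original_key_reissued_accepted": chain_matches_pins(pinned, [original_key]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is in the three outcomes: pinning turns a certificate from a new key into a hard failure for returning clients, keeps a planned rollover working through the backup pin, and does nothing against a party who kept the original private key, which is exactly the situation the post describes.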

By the way, has any independent code audit ever been done?
Is it possible that some unfair contributor (named Sean or anyone else) included masked code for possible hidden injections/attacks against the network/users?

The old PPA has now been marked as unsafe, but what of the old site? I went to it recently and was told that CloudFlare (or something like that) couldn’t connect to it, so has the old site been shutdown or could I have got anything malicious from it like the old PPA? I don’t mean to be overly paranoid, however I just would like to make sure.